Calls are being made for a Suffolk hospital to “unequivocally apologise” to patients after a bundle of confidential records were found by a dog walker some 37 miles away.
It is understood a list of names - detailing 12 patients' medical history, dates of birth and reasons for admission - plus a doctor's letter containing records were found at Trumpington Meadows nature reserve in Cambridge earlier this week.
Both the West Suffolk Hospital and Information Commissioners' Office (ICO) have launched investigations into the incident, which took place on Sunday.
MORE: Investigation launched after dog walker finds patient records
Hospital chiefs say they are in the process of contacting patients affected to apologise, after the documents were discovered folded up near a sign.
Andy Yacoub, chief executive of Healthwatch Suffolk which represents patients, said the hospital must explain how they will prevent this from happening again: "We would expect the trust to unequivocally apologise to the patients affected by this breach and explain how they will prevent this from happening again.
"We are aware of the improvement plan the trust is working on following its most recent CQC inspection, which includes revising a number of policies and processes.
"It would be our view that, should it not have been included already, it might be prudent to ensure the data protection policy is included within this process."
Hospital bosses, who came under fire recently for a so-called "witch-hunt" which saw doctors asked for fingerprints to identify a whistleblower, said a formal investigation is under way.
MORE: Hospital criticised over 'witch-hunt' to find botched surgery whistleblowerThey added: "We are grateful that this potential data breach has been brought to our attention, and have commenced a formal investigation.
"We will directly contact the small number of patients affected to apologise."
An ICO spokesman added: "People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.
"When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.
"West Suffolk NHS Foundation Trust has made us aware of an incident and we will assess the information provided."
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here